New to Radius in general, I’m currently using it to connect our users on L2TP on MikroTik (RouterOS 7.16.2), with Freeradius (3.0.21) using Samba AD (4.17.12-Debian) as the backend. It works great, users and computers are members of the AD, so it’s using mschapv2 and ntlm_auth. Now, I would like to setup a hotspot on mikrotik to authenticate the users to the same Samba AD, the thing is, Mikrotik only supports CHAP and PAP. As far as I understand, Samba AD only supports mschapv2 so it seems I’m stuck with PAP as the common mechanism. Am I right ? If so, as I’m still using the default site, is there a guide to use ntlm_auth with PAP as a fallback mechanism if mschap and eventually chap (keeping it just in case I can use it for something else later) fail? Or do you guys have a better idea for my needs please? -- Cordialement, Adnan RIHAN GPG: D433-5C63 (https://keybase.io/max13/key.asc) ⇒ Si vous n’utilisez pas GPG/PGP mais voulez m’envoyer un e-mail chiffré: https://encrypt.to/0xD4335C63.
On Feb 10, 2025, at 7:20 PM, Adnan RIHAN <axel50397@gmail.com> wrote:
It works great, users and computers are members of the AD, so it’s using mschapv2 and ntlm_auth.
That's good.
Now, I would like to setup a hotspot on mikrotik to authenticate the users to the same Samba AD, the thing is, Mikrotik only supports CHAP and PAP. As far as I understand, Samba AD only supports mschapv2 so it seems I’m stuck with PAP as the common mechanism. Am I right ?
If the RADIUS server receives User-Password (ie. PAP),then you can skip ntlm_auth, and just verify the password directly via the LDAP module. See mods-available/ldap for more information.
If so, as I’m still using the default site, is there a guide to use ntlm_auth with PAP as a fallback mechanism if mschap and eventually chap (keeping it just in case I can use it for something else later) fail? Or do you guys have a better idea for my needs please?
You don't configure a "fallback" mechanism. The server receives either PAP or MS-CHAP, and then authenticates the user. You should set it up so that PAP requests get authenticated via LDAP, and MS-CHAP requests use ntlm_auth. Alan DeKok.
Le 11/02/2025 à 20:55, Alan DeKok a écrit :
If the RADIUS server receives User-Password (ie. PAP),then you can skip ntlm_auth, and just verify the password directly via the LDAP module. See mods-available/ldap for more information.
Thanks for the reply For my information, why skip ntlm_auth in the case I'm receiving PAP, as I'm already using ntlm_auth for mschap?
On Feb 12, 2025, at 4:52 AM, Adnan RIHAN <axel50397@gmail.com> wrote:
For my information, why skip ntlm_auth in the case I'm receiving PAP, as I'm already using ntlm_auth for mschap?
Using LDAP is simpler, faster, and has fewer intermediate pieces. You can: a) use an existing LDAP connection to check PAP passwords b) fork ntlm_auth which connects over a socket to winbind which connects to Samba which uses 1990s NT protocols to talk to Active Directory. Which one is faster and is less likely to fail? Alan DeKok.
Le 12/02/2025 à 13:08, Alan DeKok a écrit :
Using LDAP is simpler, faster, and has fewer intermediate pieces. You can:
a) use an existing LDAP connection to check PAP passwords
b) fork ntlm_auth which connects over a socket to winbind which connects to Samba which uses 1990s NT protocols to talk to Active Directory.
Which one is faster and is less likely to fail?
OK. LDAP is better. In that case, as Freeradius and Samba-AD are on the same machine, wouldn't it be possible to also use LDAP for mschap? Do you have a guide to configure LDAP for PAP in Freeradius please?
On Feb 12, 2025, at 9:59 AM, Adnan RIHAN <axel50397@gmail.com> wrote:
OK. LDAP is better.
In that case, as Freeradius and Samba-AD are on the same machine, wouldn't it be possible to also use LDAP for mschap?
No. Or at least, "no for Active Directory". If it was possible, we would be recommending it. If you're running OpenLDAP, FreeRADIUS can get the password from LDAP, and then do the MS-CHAP stuff itself. In contrast, Active Directory won't return the password via an LDAP query. so we're stuck with ntlm_auth.
Do you have a guide to configure LDAP for PAP in Freeradius please?
The server comes with substantial documentation. Try reading mods-available/ldap Alan DeKok.
participants (2)
-
Adnan RIHAN -
Alan DeKok